08-26-2015 01:15 AM - edited 03-11-2019 11:29 PM
Hi all,
I am really having trouble understanding the ASA firewall's Active/Active mode, and routers' support for HSRP/VRRP/GLBP. The only thing I know about it from all my reading is that Active/Active provides routing over all lines (e.g. two lines passing different sets of traffic at the same time) and has high availability. But from what I know about routing, routers already have this load balancing + failover by using HSRP/VRRP/GLBP, and the ASA does support them, so why should the ASA use Active/Active, which can have trouble like uRPF or even problems on some VPN links? Can someone give me some explanation of this?
08-26-2015 11:40 AM
Hi;
Think of the ASA in Active/Active as creating VRFs on a router; that way it is simpler. Only one context can be active in each of the firewalls, so all routing problems or VPN issues will not apply. It is just virtual firewalls.
In fact, you can have all the contexts (virtual firewalls) configured in just one ASA; what makes it Active/Active is that some of the contexts are active in one ASA and some others are active in another ASA.
Mike.
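Mike's point that each context is active on only one unit shows up directly in the failover configuration. The following is an added example written for this thread, not configuration from the original posts or from Cisco; the context names, interface numbers, VLAN ids, failover-link addresses and group assignments are all assumptions. In the system execution space of the primary unit, context ctxA is placed in failover group 1 (active on the primary) and ctxB in failover group 2 (active on the secondary), so each context is an ordinary single-active virtual firewall and the pair as a whole is Active/Active.

```text
! System execution space, primary unit (assumed names and addresses)
mode multiple

! Physical interfaces; each context gets its own VLAN sub-interface
interface GigabitEthernet0/0
  no shutdown
interface GigabitEthernet0/0.10
  vlan 10
interface GigabitEthernet0/0.20
  vlan 20
interface GigabitEthernet0/1
  no shutdown
interface GigabitEthernet0/1.10
  vlan 10
interface GigabitEthernet0/1.20
  vlan 20

! Failover and state link between the two units
failover lan unit primary
failover lan interface folink GigabitEthernet0/2
failover link folink GigabitEthernet0/2
failover interface ip folink 10.0.0.1 255.255.255.252 standby 10.0.0.2

! Group 1 prefers the primary unit, group 2 prefers the secondary;
! preempt moves each group back to its preferred unit after recovery.
failover group 1
  primary
  preempt
failover group 2
  secondary
  preempt

! A context joins exactly one failover group, so it is active on one
! unit only; the peer holds a standby copy of that context.
context ctxA
  allocate-interface GigabitEthernet0/0.10
  allocate-interface GigabitEthernet0/1.10
  config-url disk0:/ctxA.cfg
  join-failover-group 1
context ctxB
  allocate-interface GigabitEthernet0/0.20
  allocate-interface GigabitEthernet0/1.20
  config-url disk0:/ctxB.cfg
  join-failover-group 2

! Enable failover last, after both units carry matching group config
failover
```

After both units are configured, `show failover` in the system execution space lists each failover group with its state and which unit currently hosts it, which is the quickest way to confirm that no context is active on both units at once. Because a flow belongs to one context and that context runs on one unit, there is no per-flow asymmetry of the kind the question worries about; the ASA does have a separate `asr-group` interface setting for deployments where return traffic can legitimately arrive on the peer unit, but it is not needed for the layout above and is not shown.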
08-26-2015 05:46 PM
I am new to this ASA Active/Active, so correct me if I am wrong.
So what you mean is:
--other end of device interface-- router 1
ASA 1 ---interface0/0-- --other end of device interface-- router 2
---virtual-like one interface for ASA-- +switch- --other end of device interface-- server 2
ASA 2 ---interface0/0-- --other end of device interface-- server 1
All the routers and servers see ASA1 and ASA2 as one link or one firewall.
Does this graphic explain the thing you are talking about?
But if this is the case, then I will have double Active/Active, which will have a many-to-many relationship to the other end servers and routers, and if the router end and server end do not have any NAT setting then it will lead to uRPF problems. The only way I know to solve it is to increase the active interfaces: physical interfaces or sub-interfaces can be used on the ASA side, to make the relationship act as one-to-many. And it will be hard when doing troubleshooting. If that is true, then why is Active/Active needed at all? Simply adding new interfaces to relate to each end device would be much easier to manage.